Teach you to capture packets (part 2) [two approaches to packet capture]

zhaozj2021-02-16  64

B. Open the selected NIC and put it in promiscuous mode:

Before this step you must already have prompted the user to choose a NIC and obtained its name. Since the previous part already showed how to enumerate the names of all NICs, that code is omitted here.

We mainly use the pcap_open_live function. The WinPcap development team recommends replacing it with pcap_open, but because my code already uses pcap_open_live and changing it is inconvenient, and pcap_open_live works fine, I keep it. The declaration of pcap_open_live is:

/**************************************************

pcap_t *pcap_open_live(char *device,
                       int   snaplen,
                       int   promisc,
                       int   to_ms,
                       char *ebuf);

Function:

Open the NIC named by device, put it in promiscuous mode, and return its handle.

Parameters:

device: the NIC name we obtained earlier.

snaplen: how many bytes to keep from each packet. With 100, for example, only the first 100 bytes of every packet are captured. Unless you have a special need, set it to the maximum, 65535.

promisc: whether to put the NIC into "promiscuous mode"; set it to 1.

to_ms: read timeout in milliseconds, typically 1000.

ebuf: buffer that receives the error message if the open fails; it must be at least PCAP_ERRBUF_SIZE bytes.

Return value:

pcap_t *: something like a "handle" to the NIC; every later capture call takes it as its first argument.

**************************************************/

Although it looks complicated, it is actually very simple; one line does the job:

pcap_t *adhandle;
char errbuf[PCAP_ERRBUF_SIZE];

// open the NIC and set promiscuous mode
// pcardName is the NIC name obtained in the previous step
adhandle = pcap_open_live(pcardName, 65535, 1, 1000, errbuf);

C. Capture packets and save them to a file:

Of course, you do not have to save the packets to a file, but if you do not, you can only analyze a packet at the moment it is captured, and then it is gone ^_^

So, to make analysis easier, experts and I alike usually save the packets first and analyze them slowly afterwards.

But watch the hard disk space when network traffic is heavy: you can easily get several megabytes in a few seconds.

Let's first explain in detail the WinPcap functions needed in this step:

/**************************************************

pcap_dumper_t *pcap_dump_open(pcap_t *p,
                              const char *fname);

Function:

Create or open the file that will store the packet contents, and return its handle.

Parameters:

pcap_t *p: the NIC handle opened above;

const char *fname: the name of the file to save to.

Return value:

pcap_dumper_t *: a descriptor for the dump file; we do not need to care about its internals.

**************************************************/

/**************************************************

int pcap_next_ex(pcap_t *p,
                 struct pcap_pkthdr **pkt_header,
                 const u_char **pkt_data);

Function:

Read the next packet from the NIC or from a saved packet file.

Parameters:

pcap_t *p: the NIC handle;

struct pcap_pkthdr **pkt_header: not one of the packet's own protocol headers, but the header added by the capture driver (timestamp, captured length and original length);

const u_char **pkt_data: pointer to the packet content, including all protocol headers.

Return value:

1: a packet was read successfully;

0: the timeout given to pcap_open_live() expired before any packet was read;

-1: an error occurred;

-2: the end of the file was reached (when reading from a saved file).

**************************************************/

/**************************************************

void pcap_dump(u_char *user,
               const struct pcap_pkthdr *h,
               const u_char *sp);

Function:

Write the packet content to the file specified in pcap_dump_open().

Parameters:

u_char *user: the dump file handle returned by pcap_dump_open(), cast to u_char * (pcap_dump has the signature of a pcap_handler callback, so this parameter is a generic pointer);

const struct pcap_pkthdr *h: not one of the packet's own protocol headers, but the header associated with the capture (the one returned by pcap_next_ex);

const u_char *sp: pointer to the packet content.

Return value:

void

**************************************************/

The complete packet capture code is given below; it runs in its own thread. To keep the program clear I have removed the error handling and the exit code; the complete code can be downloaded with the sample source. As usual, the important steps are marked in bold.

When actually capturing packets it is best to put the code in a separate thread.

/**********************************************************
 * Process:
 *   This is the core part of the program; it performs the packet capture.
 * Parameters:
 *   pParam: name of the NIC selected for capture
 **********************************************************/
UINT CaptureThread(LPVOID pParam)
{
    const char *pcardName = (char *)pParam; // convert the parameter to get the NIC name

    pcap_t *adhandle;
    char errbuf[PCAP_ERRBUF_SIZE];

    // open the NIC and set promiscuous mode
    adhandle = pcap_open_live(pcardName, 65535, 1, 1000, errbuf);

    pcap_dumper_t *dumpfile;
    // create the file that stores the captured packets
    dumpfile = pcap_dump_open(adhandle, "packet.dat");

    int res;
    struct pcap_pkthdr *header;   // capture header (timestamp and lengths)
    u_char *pkt_data;             // pointer to the packet content

    // keep reading packets from the NIC (or from a file)
    while ((res = pcap_next_ex(adhandle, &header, (const u_char **)&pkt_data)) >= 0)
    {
        if (res == 0)
            continue;             // timeout expired, no packet: header and pkt_data are not valid

        // write the captured packet to the file
        pcap_dump((unsigned char *)dumpfile, header, pkt_data);
    }

    return 0;
}

Now add the thread start to the program... wait, how do you start this thread? Don't tell me you don't know; it is just this:

::AfxBeginThread(CaptureThread, chNIC); // chNIC is the NIC name, of type char *

After the thread is started (give it a few seconds to take effect), you can see that packets are being captured and stored in the packet.dat file in the program directory.

==================================================

At this point the packet capture method is complete. Having read this article you will surely have understood that, whether it is the raw socket method or the WinPcap method, it is all very simple; the little that is really there only looks mysterious to people who do not understand the principles, isn't it?

Oh, but don't be happy too early. Try opening the saved packet file with UltraEdit: most of it is basically unreadable, because:

The packets captured at this point are not just plain application data; they include the raw IP header, TCP header and the other protocol headers, preserved exactly as they were when transmitted. Some information about the network can be obtained by analyzing this raw low-level data. Since these data have passed through the encapsulation of the network layer and the transport layer, a packet has to be analyzed according to the headers prepended to it.
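To see what packet.dat actually contains, here is an added example (my code, not the article's) that walks an in-memory image of a file in the format pcap_dump_open() and pcap_dump() produce: a 24-byte global header, then for each packet a 16-byte record header carrying the struct pcap_pkthdr fields (timestamp, captured length, original length) followed by the raw frame bytes. The sample bytes are constructed, not a real capture.

```c
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC     0xa1b2c3d4u /* magic pcap_dump_open() writes at offset 0 */
#define GLOBAL_HDR_LEN 24          /* magic, version 2.4, thiszone, sigfigs, snaplen, linktype */
#define RECORD_HDR_LEN 16          /* ts_sec, ts_usec, incl_len, orig_len (struct pcap_pkthdr) */
/* Little-endian read: WinPcap writes the headers in x86 host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk an in-memory image of packet.dat. Returns the record count, -1 on a bad
 * global header, -2 if a record overruns the data (e.g. an unflushed dump).
 * *captured receives the sum of incl_len, i.e. the bytes actually stored. */
int walk_dump(const uint8_t *buf, size_t n, uint32_t *captured) {
    if (n < GLOBAL_HDR_LEN || rd32(buf) != PCAP_MAGIC) return -1;
    uint32_t snaplen = rd32(buf + 16);
    size_t off = GLOBAL_HDR_LEN;
    int count = 0;
    *captured = 0;
    while (off < n) {
        if (n - off < RECORD_HDR_LEN) return -2;
        uint32_t incl = rd32(buf + off + 8), orig = rd32(buf + off + 12);
        /* pcap_dump() stores at most snaplen bytes, never more than were on the wire */
        if (incl > snaplen || incl > orig || n - off - RECORD_HDR_LEN < incl) return -2;
        *captured += incl;
        off += RECORD_HDR_LEN + incl;
        count++;
    }
    return count;
}

/* Constructed sample (not a real capture): snaplen 65535, link type 1 (Ethernet),
 * two records laid out exactly as pcap_dump() writes them. */
static const uint8_t SAMPLE_DUMP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    /* record 1: ts 1.000000, incl_len 14, orig_len 14, then the 14-byte Ethernet header */
    1,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    /* record 2: incl_len 20 but orig_len 60: fewer bytes stored than were on the wire */
    2,0,0,0, 0,0,0,0, 20,0,0,0, 60,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06, 0,0,0,0,0,0,
};

int main(void) {
    uint32_t cap = 0; int n = walk_dump(SAMPLE_DUMP, sizeof SAMPLE_DUMP, &cap);
    printf("records=%d captured_bytes=%u\n", n, cap);   /* prints records=2 captured_bytes=34 */
    return n < 0;
}
```

This is why the file looks like noise in UltraEdit: every record starts with binary lengths and timestamps, and the data that follows begins with the Ethernet and IP headers rather than readable text.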

Oh, so the road ahead is still long; this is only getting started ^_^

Please look forward to the next article in this series:

"Hand-in-hand: teaching you to analyze packets"

The source code for this article will be released together with the next article.

-------- Made in DLUT | DIP

-------- Finished at 2004-06-23
